Correctly configuring SNORT to block limewire from the LAN side



  • Hey guys,

    I've got SNORT humming along, but…I can not get it to block P2P/Limewire stuff.

    System setup:
    P4 2.8GHz, 1GB DDR-400, 40GB IDE drive.
    Software:
    PFSense 1.2.3-Release, Snort 2.8.6, 1.27, Squid 2.7.9_1 and Lightsquid 1.7.1, also BandwidthD 2.0.1.2

    I've enabled SNORT on the WAN interface, manually updating the rules (thanks for the guide RUNE!!) and I can select rulesets.
    Rulesets enabled are emerging-p2p and p2p (along with a handful of others covering virus, spyware, scan, exploit etc)

    I'm hoping to build an all-round decent firewall with IPS detection and caching.

    Now the problem: Torrenting seems to be blocked now, but I can still fire up Limewire, search and download. I have the block offenders ticked, and when I look in the alerts log I do see things triggered with my WAN port as the source. I get entries in the blocked list if I fire up bitlord and try a download, the hosts are all external IPs, but limewire just keeps going.

    Can someone please assist me with this? I'm running out of ideas. Once I get this all working I'm intending to replace a Sonicwall (with the security subscriptions configured), but I need this to do the same base functions first :)

    TIA

    Joe
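    The symptom above (alerts whose source is the WAN side, and only external IPs landing on the block list) can be triaged by parsing the alert log and separating the LAN host from the external peer in each alert. This is an added example, not pfSense or Snort code; the alert lines, rule SIDs, messages and addresses are constructed, and the LAN prefixes are assumed.

```python
import ipaddress
import re
from collections import Counter

# Constructed Snort "fast"-format alert lines for illustration; the SIDs,
# messages and addresses are made up and are not real Snort or ET rules.
SAMPLE_ALERTS = """\
05/12-10:01:02.000001  [**] [1:9000001:1] CONSTRUCTED P2P Gnutella connect [**] [Priority: 2] {TCP} 192.168.1.50:6346 -> 203.0.113.9:6346
05/12-10:01:05.000002  [**] [1:9000001:1] CONSTRUCTED P2P Gnutella connect [**] [Priority: 2] {TCP} 192.168.1.50:6346 -> 203.0.113.44:6346
05/12-10:01:07.000003  [**] [1:9000002:1] CONSTRUCTED P2P Gnutella handshake reply [**] [Priority: 2] {TCP} 203.0.113.9:6346 -> 192.168.1.50:6346
05/12-10:01:09.000004  [**] [1:9000003:1] CONSTRUCTED P2P BitTorrent tracker announce [**] [Priority: 3] {TCP} 192.168.1.77:51413 -> 198.51.100.20:6969
"""

# Fast-format layout: "[**] [gid:sid:rev] msg [**] ... {proto} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def classify(alert_text, lan_nets=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """Count, per address, how often a LAN host and an external peer appear in alerts.

    Returns (lan_hosts, external_peers) as two Counters. Tallying the LAN side
    on its own shows which internal machine keeps triggering P2P rules even
    when the alert's source is the external peer and only that peer is blocked.
    """
    nets = [ipaddress.ip_network(n) for n in lan_nets]

    def is_lan(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    lan_hosts, external_peers = Counter(), Counter()
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # skip lines that are not alerts (banners, blank lines)
        for addr in (alert["src"], alert["dst"]):
            (lan_hosts if is_lan(addr) else external_peers)[addr] += 1
    return lan_hosts, external_peers


if __name__ == "__main__":
    lan, ext = classify(SAMPLE_ALERTS)
    print("LAN hosts in P2P alerts:", dict(lan))
    print("External peers in P2P alerts:", dict(ext))
```

    Run against the real alert file (for example the Snort log directory on the pfSense box) to see whether one LAN machine accounts for a long tail of distinct external peers, which is what a swarm-style P2P client looks like in the alerts.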



  • Bump - Anyone?
    Do I need to configure SNORT on the LAN interface instead of the WAN interface?



  • Out of curiosity, do you have UPnP disabled ?



  • PNP is disabled in the BIOS of the PFSense box.
    Is there another setting I need to disable or change? PFSense is all default with the exception of the Squid, Lightsquid, BandwidthD and SNORT packages installed.



  • DigitalJer is talking about UPnP http://en.wikipedia.org/wiki/Universal_Plug_and_Play not PNP.



  • In pfsense web gui:

    Services / UPnP, and ensure the "Enable UPnP" is de-selected.

    Not sure why Snort isn't blocking, but if for some reason UPnP is enabled, Limewire will happily open up all the ports it needs to communicate.



  • Ah - yes. UPnP is not enabled.

    I have configured SNORT to scan the WAN interface. Is this correct, or should SNORT be checking the LAN interface for Limewire?

    Ideally I want things like Limewire (I'm using this as an example, I'd like to block ALL P2P packages) and torrenting etc blocked silently - EG Limewire just doesn't connect without banning the host (Local LAN PC) from the Internet.

    Any more ideas?



  • First of all PfSense is not a L7 firewall. Completely blocking P2P will probably be mission impossible. You can run a tight outgoing policy set with only allowing port 80 and a few others to the outside, but P2P uses http ports as much as any other. What you can do, is use the traffic shaper to slow down P2P to a minimal or use a traffic quota for the users.

    What I do is allow my users full access, log the traffic and penalize them if they're breaking the rules. Never had any need to block anything for them since I run that kind of policy.

    Hope it helps.



  • Sorry for the OT, but that's a good point; and that's how we treat our users in our office - like adults.  The new hires usually get a brief speech from one of us, to the effect of: we're all adults - complete and unfettered Internet usage isn't a problem unless it becomes a problem and/or we hear something from management.

    aka - gaming, slacking, surfing YouTube all day isn't our issue - it's a management issue.  Sure, we know who the slackers are - but usually keep quiet unless it's supremely excessive (causes bottlenecks or otherwise becomes disruptive), or management asks.  Sometimes we'll drop hints to a manager…and the problem quickly fixes itself.  Five years of this philosophy has resulted in only ONE person receiving discipline, no viruses, and only token spyware.

    We're not the Internet police :)  ...every office is different, but it's sure nice to be free of this stuff.


  • Rebel Alliance Developer Netgate

    @weselko:

    First of all PfSense is not a L7 firewall.

    It is in 2.0 :-)

